EU Moves to Block High-Risk Foreign Tech Over Cybersecurity

Summary
– The European Commission has proposed new cybersecurity legislation to mandate the removal of high-risk suppliers from telecom networks and strengthen defenses against state-backed and cybercrime groups.
– This proposal follows the uneven application of the EU’s voluntary 5G Security Toolbox and addresses concerns about high-risk vendors, such as Chinese companies Huawei and ZTE.
– The legislation grants the Commission authority to conduct EU-wide risk assessments and support bans on equipment in sensitive infrastructure, with member states jointly assessing risks across 18 critical sectors.
– It includes a revised Cybersecurity Act to secure ICT supply chains, streamline certification procedures for companies, and empower ENISA to issue threat alerts and assist with incident response.
– ENISA will also establish cybersecurity skills schemes and an academy to build a European workforce, with the Act taking effect immediately upon approval by EU institutions.

The European Commission has introduced a significant legislative proposal aimed at fortifying the bloc’s digital defenses. This new cybersecurity package seeks to mandate the removal of high-risk foreign suppliers from critical telecommunications networks, addressing long-standing vulnerabilities. The initiative represents a shift from voluntary guidelines to enforceable rules, empowering authorities to take decisive action against threats to essential infrastructure from both state-sponsored actors and cybercriminal organizations.
For years, European officials have grappled with the inconsistent application of the EU’s 5G Security Toolbox, a set of non-binding recommendations launched in 2020. The toolbox was designed to reduce dependencies on vendors perceived as potential security risks, but its voluntary nature led to a patchwork of national approaches. The new legislation is a direct response to this fragmented implementation, creating a unified, mandatory framework.
While the proposal carefully avoids naming specific corporations, the context makes the target clear. Concerns about Chinese tech giants like Huawei and ZTE were central to the original 5G discussions, and the updated rules provide a legal mechanism to restrict or ban equipment from any supplier deemed a national security threat. The Commission would gain the authority to coordinate EU-wide risk evaluations and support collective action against problematic technology used in sensitive sectors.
The package grants the Commission new powers to organize comprehensive risk assessments across the European Union’s eighteen critical infrastructure sectors. These evaluations will consider the country of origin for equipment and the broader implications for member states’ security. “Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy, and way of life,” stated EU tech commissioner Henna Virkkunen. She emphasized that the package provides tools to better protect supply chains and decisively combat cyber attacks, calling it a vital step for European technological sovereignty.
A revised Cybersecurity Act forms the core of this legislative push. It is specifically crafted to secure information and communication technology supply chains by legally requiring the exclusion of high-risk vendors from mobile networks. Beyond restrictions, the act aims to simplify compliance for businesses. It streamlines certification processes, allowing companies to participate in voluntary schemes managed by the EU Agency for Cybersecurity (ENISA) to reduce regulatory burdens and associated costs.
The enhanced role for ENISA is a cornerstone of the strategy. The agency will be empowered to issue early warnings about emerging threats and operate a centralized portal for incident reporting. It will also assist companies in responding to ransomware attacks, coordinating closely with Europol and national computer security response teams. To address a chronic skills shortage, ENISA will develop EU-wide cybersecurity skills attestation programs and launch a pilot Cybersecurity Skills Academy, fostering a stronger, homegrown workforce.
Upon formal approval by the European Parliament and the Council of the EU, the Cybersecurity Act will become law immediately. Member states will then have a twelve-month period to transpose the new cybersecurity amendments into their national legal systems, setting the stage for a more cohesive and resilient digital defense posture across the continent.
(Source: Bleeping Computer)





